The cyberattack method called Kerberoasting has been around for a while. In December 2020, the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issued a directive instructing federal agencies to guard against Kerberoasting as part of mitigating the danger of the SolarWinds attack.

Once attackers are inside the targeted environment, they execute Kerberoasting against service accounts. Any authenticated domain user can request a Kerberos service ticket (TGS) for an account that has a service principal name (SPN), and part of that ticket is encrypted with a key derived from the service account's password. The attacker collects those tickets and brute-forces the passwords offline, with no further contact with the domain controller and no lockouts to trip, so the only thing standing between the attacker and a working service account credential is the strength of its password.

Managed service accounts remove that weak link. Host-based (standalone) managed service accounts use a 128-character, randomly generated password that is rotated every 30 days, and group managed service accounts (gMSAs) have random, complex passwords of more than 100 characters that Active Directory rotates automatically. A service ticket encrypted under a key derived from a password like that is not practically crackable offline, so Kerberoasting such an account yields nothing useful.

Because of the amount of noise that approach might create, a simpler strategy for stopping these types of attacks may be to require long, random passwords for service accounts, which is exactly what managed service accounts provide. Length and randomness are what matter, because any domain user can obtain the ticket and crack it at leisure. Where an account cannot be migrated to a gMSA, also restrict it to AES Kerberos encryption types: a ticket encrypted with RC4 is far cheaper to brute-force than one encrypted with AES.
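The following PowerShell script is an added example, not code from the article or from any vendor tool. It lists the accounts in a domain that are exposed to Kerberoasting (enabled user accounts carrying an SPN) and flags the ones a practitioner would fix first: passwords older than the 30-day rotation that managed service accounts use, accounts still allowed to receive RC4-encrypted tickets, and accounts that are also privileged. It assumes the RSAT ActiveDirectory module is installed and that it runs as a domain user with ordinary read access; the 30-day threshold and the account and host names in the remediation comments at the end are illustrative choices, not values from the article.

```powershell
# Added example: audit Kerberoastable accounts and rank them by cracking exposure.
# Assumes the RSAT ActiveDirectory module and read access to the domain (assumption).
Import-Module ActiveDirectory

# Threshold is a local choice; it mirrors the default 30-day rotation of managed service accounts.
$MaxPasswordAgeDays = 30

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# Enabled user objects with at least one SPN are the ones an attacker can request
# service tickets for. krbtgt is skipped: it has an SPN but is handled separately.
# gMSAs are not returned by Get-ADUser, which is fine: their passwords are already long and random.
$accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

function Get-KerberoastExposure {
    param([Parameter(ValueFromPipeline = $true)] $Account)
    process {
        $age = if ($Account.PasswordLastSet) {
            (New-TimeSpan -Start $Account.PasswordLastSet -End (Get-Date)).Days
        } else { $null }

        # An unset attribute casts to 0; the DC then falls back to RC4 for the service ticket.
        $enc        = [int]($Account.'msDS-SupportedEncryptionTypes')
        $rc4Allowed = ($enc -eq 0) -or (($enc -band $RC4) -ne 0)
        $aesOnly    = (-not $rc4Allowed) -and (($enc -band ($AES128 -bor $AES256)) -ne 0)

        $reasons = @()
        if ($null -eq $age -or $age -gt $MaxPasswordAgeDays) {
            $reasons += "password not rotated in $MaxPasswordAgeDays days"
        }
        if ($rc4Allowed)             { $reasons += 'RC4 service tickets allowed (fast to crack offline)' }
        if ($Account.AdminCount -eq 1) { $reasons += 'privileged account (adminCount=1)' }

        [PSCustomObject]@{
            SamAccountName  = $Account.SamAccountName
            SPNCount        = @($Account.ServicePrincipalName).Count
            PasswordAgeDays = $age
            RC4Allowed      = $rc4Allowed
            AESOnly         = $aesOnly
            Privileged      = ($Account.AdminCount -eq 1)
            Findings        = ($reasons -join '; ')
        }
    }
}

$report = $accounts | Get-KerberoastExposure
$report | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize

# Remediation for a flagged account (names below are hypothetical):
#  1. Migrate the service to a gMSA whose password AD rotates automatically.
#     New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example' `
#         -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$' -ManagedPasswordIntervalInDays 30
#  2. If migration is not possible, allow only AES tickets so that captured tickets
#     cannot be cracked with the cheap RC4 path, and set a long random password by hand.
#     Set-ADUser -Identity 'svc-legacy' -KerberosEncryptionType AES128,AES256
```

Run it on a test domain first: the report is read-only, but the remediation commands in the trailing comments change account state and should be applied one account at a time after confirming the service tolerates AES-only tickets.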
